nixos/systemd-networkd: add NFTSet related options

[mvnetbiz]

Description of changes

Allow setting NFTSet= option in systemd-netword network files. This option is for automatically adding the interface's address, prefix, or index to a named nftables set. It is valid under [Address] for static addresses, as well as the various sections for dynamic configuration (DHCP, etc.)

Added a NixOS test that configures a machine that uses NFTSet on a statically configured address section, as well as a DHCPv4 section, and checks that both nft sets are modified by testing nft rules that match on the sets.

Things done

Tested that it works on a system with nftables configured.

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[philiptaron]

Documentation is here: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=source:family:table:set

NFT is https://netfilter.org/projects/nftables/index.html

[mvnetbiz]

Does this need any validation on the option or a nixos test? This seems similar to recent changes like #318604.

[philiptaron]

I'd love to see a NixOS test that exercised these options. I'd also love to see a validator or a structured Nix type that reflects the four possible fields of source, family, table, and set.

[philiptaron]

Address documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=source:family:table:set

Do you think you need a validator? One seems possible given the documentation above.

[philiptaron]

DHCPv4 documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=

[philiptaron]

DHCPv6 documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=1

[philiptaron]

DHCPPrefixDelegation documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=2

[philiptaron]

IPv6AcceptRA documentation: https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html#NFTSet=3

[mvnetbiz]

I can add a validator.

[mvnetbiz]

I added a check to validate that all fields are present. It looks like one of the more complex checks for a string option. I'm not sure if I should keep it as several assertions like this, or if I should build a string so it's kept to a single trace line? Also not sure if systemd-lib.nix is the appropriate place for this since it will probably stay specific to the one module.

[mvnetbiz]

@philiptaron I am not sure how I could use a "structured Nix type" where the option type is already a unitOption.

[philiptaron]

@mvnetbiz I'm about to be away from a computer for a week-ish. Please feel free to enlist someone else to keep reviewing! I like the direction I see on my phone but can't sign off due to inability to test.

[r-vdp]

The manual specifies a different way of defining tests, based on runTest instead of importing this.
See https://nixos.org/manual/nixos/stable/#sec-call-nixos-test-in-nixos